
I'm really surprised. If I was here looking for compliance, to be honest with you, I expected like three people, so thank you for showing up, I appreciate it. I'm going to try to make this as hands-on as possible. It's a lot; it's really hard to cover in 30 minutes, but I really want to cover the 30,000-foot overview of the CMMC, because it's something that's coming down, especially if your company has FCI contracts or handles CUI data. So let's jump into it.

A little bit about myself: I'm a cybersecurity engineer primarily focused on cyber defense. I do a lot of incident response for my organization, and I'm diving into the wonderful world of application security, and that is a lot of fun. I do serve part-time in the National Guard, so I am pretty familiar with some of these compliance profiles that are coming down, and more recently I've been helping out doing CMMC assessments, both level one and level two, and gap assessments to help some of these companies try to meet that level one or level two certification. Jumping into it, I've learned a lot of things, and that's why I want to share this with you all, because I think it's very, very interesting.

But what the heck is a CMMC? Is it a car? Absolutely not. It is a security framework put together by the Department of Defense. It is a certification that you obtain if you're handling FCI or CUI data, so Federal Contract Information. If you're doing business with the government, if you provide any quotes, they took the CMMC certification and they're basing that mostly off NIST 800-171. We'll cover the different levels, but they're going to be wrapping NIST 800-172 into the level three framework. If you handle any type of FCI or CUI data, you will need to be CMMC certified, depending on what level you're going after, and we've got two levels, two versions of it actually. So the old version 1.0 used to be five different
levels you had to meet, and it was really complex, and now the newest CMMC 2.0 is three levels, and I frankly like this a lot better. It's a lot more clean, a lot more condensed, and they have a really straight guide to follow depending on what level of certification you're going after. So with NIST 800-171 you have 110 requirements that you have to meet in order to get that level two certification. But if you're going to go for level three, which I want to make a note on: level three is not currently released or approved yet. They're actually working on the level three certification right now, so if you're trying to go for the highest level certification of the CMMC model, level three is not going to be it until it's finalized within a couple of years, and even then I don't know if level three is going to be available. But they take NIST 800-171, they take this framework, and they carve out three different levels, and the two very key parts, depending on what kind of certification you're going after, whether it's a level one or level two, depend on these two options right here: does your company or organization only handle FCI data? You're probably going to go after level one certification. If it's CUI data, then you're going to go after level two. If you want my opinion, I would just go after level two and call it good. Level one's great, it's cheap, you do a self-assessment, but level two is going to cover all of your bases.

Again, for level one: FCI data only, government contracts, emails, any type of communication you have with the Department of Defense; they want that to be level one certified. If you're handling FCI and CUI data, they want you to meet a certain level of stricter security controls based on NIST 800-171. And then again level three, this is going to be your advanced protection, so when level three comes out it's probably going to be more for your classified data, so like Boeing working with the government on some classified data; we're going to have more stringent security controls in place for that.

It's going to be easier to give you guys an example. So we know FCI data: we don't want it to be intended for public release. Are there national security concerns if it is exposed to the public? There are, but it carries less risk than CUI data. Now CUI data is actually going to be riskier and more damaging to national security if it is released publicly, either on purpose by a threat actor or by accident. And so with that, it's good to understand what constitutes FCI and what constitutes CUI. Your FCI data, that's just quotes, contracts that you have with the government. It could be an internal
email: if you're working with a commander of a base and you're emailing him, that's going to be FCI data. Any type of manuals that your company or you yourself write for your product or service that you're selling to the government, to the DoD specifically, will be considered FCI. And then any type of payment information, the amount tied to these government contracts, is considered FCI. One thing I found really interesting is meeting schedules and participants. So you're probably thinking, hey, does my Google Calendar meeting with some military professionals count as FCI? More than likely it probably does.

And then we look at CUI. Again, this is more the stuff that has a higher risk to national security. So if you look at CUI, the specific blueprints and drawings of the service or product or military base: if you work construction and you are building walls for a military base, that's going to be considered CUI data. Same thing with any type of software service that you're selling to the DoD or a government entity; the actual source code is going to be CUI data. Any type of PII within those negotiations or contracts is going to be considered CUI data. And then any type of legal documents, agreements, or any type of contractual agreements that are marked CUI will become CUI. Working in the government and the military part-time, this could just be an FCI document here, but if you see a document marked CUI at the top and at the bottom, that is automatically CUI data. It doesn't matter what's in there; it could be a meme of a cat, it could be an address of the military base, which is public as well; that will be CUI data, so you need to follow the CUI data security controls. Does that mean you need to change the level of certification? Not necessarily, there is some forgiveness there, but this is why I keep preaching: just go after a level two certification in case you run into this. So if you see those two markings, make sure you handle that very securely: you're transferring it using encryption, you're making sure there's no risk of it being publicly exposed. There's a bunch of stuff that you can do, but it's very important, because a lot of people in the military do violate that policy.

So we have an overview of the CMMC. What is this NIST 800-171 and what does it really contain? This is Edward Norton from Fight Club. If you have insomnia or sleep issues, read NIST 800-171 and that'll cure it. You guys can quote me on that: the cure for insomnia is reading NIST 800-171. But outside of being funny, this gives you a framework.
It's called Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, so that means they're providing you security controls in their framework and how you can protect that FCI data. So that doesn't mean within the government itself; you know, if you're working on a military base, they're going to follow NIST 800-171, but it's your company or organization handling FCI or CUI data, or a combination of both, and they give you the security controls that you need to put in place to transfer and secure that data. That is the main goal of NIST 800-171, and that is broken down out of 110 security requirements into 14 different families. The biggest one out of all the controls is access control, and if I was building a policy or procedure around this, that's what I would really focus on, because there's 22 different controls within access control, and this is going to be who is accessing the FCI or CUI data, who is reading or executing the FCI or CUI data, what kind of service accounts have access to it, what kind of domain accounts have access to it. And so this is actually spread out across the entire framework, and they're broken up into different types of controls, but the family that you're going to find with the most number of controls is access control. And then going through these 14 different families, not touching on all of them, it's just your general cybersecurity hygiene and framework. So if you're already doing the basics, you're doing pretty well: if you have segmented networks for those areas, if you have encryption in transit and at rest, if you have RBAC policies and PAM policies already in place, I would be shocked if you wouldn't meet a majority of these. And then the last two, incident response and personnel security.

But the reason why this is so important, and I want to touch on both NIST 800-171 and CMMC, is because it's coming towards public institutions, not just government, Department of Defense contractors, but they're looking at applying it to public institutions. So now, outside of education, I just grabbed this article: they're looking to apply the CMMC framework to public institutions by October 1st, 2025. That date, they're still trying to figure that out because they received some pushback; I've heard 2026 might be the extended date, but they want to apply this framework because cybersecurity is such a huge issue right now. I don't know if anybody watches the news, but there's a lot of attacks happening against infrastructure, there's a lot of attacks happening against public institutions, there's attacks happening against county collectors, and so they want to push this basic hygiene framework down to these organizations to help protect against that. Is that going to defeat all attacks?
Absolutely not, but it's going to help thwart some of these attacks that are just basic. So this is coming down the pipeline. It's one of the things that companies are kind of pushing off until the very last moment. Again, there's different talks of this; one says 2025, but then I've seen other dates in 2026. It's the government, it will probably change tomorrow or in three hours, but I would say 2026. Your company needs to be, if you're seeking new business or new contracts with the government or you're going to handle its data, you should get certified by that 2025 date, and I would stress that. You know, approximately 2026, I don't see that happening; it's probably going to be finalized by then, the final call-outs and rules will be approved and they'll say just go ahead and implement it. Bring it on.

If your company is interested, you know, right now this might be them doing federal contracts and celebrating, but if you don't meet that level or that CMMC assessment, this could be you. As you guys know, these are ChatGPT images, but I want to stress that some companies are really pushing this off and they're going to lose out on revenue. If we work in cybersecurity, we work for companies; you know, revenue is probably the number one thing on your CEO's or CFO's mind, and so losing that certification, losing government contracts, could have implications for your organization. And I wanted to throw some other generated pictures on here, so I wanted NIST shaking hands with the CMMC, and I don't know why ChatGPT has a scientist shaking hands with a knight. I absolutely just didn't know what that was. I said okay, so I need who is NIST and who is CMMC, so ChatGPT gave me a scientist shaking hands with a soldier. I guess this is the scientist and CMMC is the soldier. I have no clue why. So use ChatGPT at your own risk.

Cool, so we've got CMMC, we've got this. We want to go after a certification. Well, the very first step,
whether you're seeking level one or level two, is that you have to audit your own network and you need to gather your own data: your network diagrams, all of your policies (encryption policy, IT security policy, onboarding policy, offboarding policy, password policy, data classification policies). You need to look at all of your hardware devices that will be accessing this protected network. So you have to gather all this information. This is pretty important here: if you guys use a managed service provider, I know there are MSSPs, managed security solutions providers, they will need to provide all this for you if they do manage your network. This is one of the things: you need to gather all of your data first before you can start the process, because it'll make your life a lot easier rather than trying to find and hunt for this information. And then you need to know what your data classifications are. So when you're handling FCI and CUI data, you know where that is going to sit, how that is going to be protected: again, segmented FCI or CUI data, how it is protected through encryption at rest and in transit, what AD users, what devices, what hardware devices, what service accounts will be accessing this data. All that needs to be documented.

So when you have all that information, you can choose the level that you want to go after. Again, if you're handling just FCI data alone, you can go after level one; the assessment process is really easy, and if you're doing the basic cyber hygiene, you're probably going to meet it. I did do one assessment where they had a negative score, so they did not meet that basic cyber hygiene, but this was a really small mom-and-pop shop, and the owner and operator was also the IT director, so it's a tough life. But on the same hand, it's one of the things that you have to work towards. If you're looking for CMMC level two, again, stricter requirements, and the two families of the framework that were not required in CMMC level one are required in level two. And then level three, again, it's still in review; we don't know a whole lot about it. But depending on which one you want to go after, this is the typical process of the data gathering.

So this is a spreadsheet that I use to analyze, and these are for level ones, but you need to know your company name, the documents you're going to be creating. So you're taking all this information, you're going to be creating security policies, and those security policies are going to map to NIST 800-171. So you need to know your company name, you need to know your CEO, your CFO, you need to know your head of HR, who will be managing all these systems,
your IT directors, who will be responsible for revising these policies (typically your ISSOs or your CISOs). And alongside that, when you're planning all this in the network and segmenting the FCI or CUI data, this is pretty important over here: you need to know all your external service providers, how you're transmitting your emails and communications to these government officials. You need to know your compliance policies, your boundary protections, so again your firewalls, whether it be a Fortinet, Cloudflare, whatever it is; what kind of public access and separation you have, so your segmented network that's going to be handling this data. And then all this right here is all your annexes, so you're going to be attaching all of your service accounts, everybody who has access to the FCI or CUI data, all the hardware that touches your FCI and CUI data, all your mobile devices, all your physical access devices, attached to all of these documents. And there's a couple of tricks you can do here, but you need to gather all that information, put it in a spreadsheet, put it in a document, and then you're going to have to attach those to those policies. And then, for those who don't know, a CAGE code is just a unique code they assign to you, so when you're doing DoD contracts they give you a number that you put in, but you'll need to know that as well.

Okay, so we take this information and we're creating our policies, and this is just a template of what these policies are. So typically it's a company logo with your company name, and then we're meeting the NIST 800-171 control right here, and then your document version (if this is your first time doing it, obviously it's going to be one), and then the release date, when this is made public to your internal organization. And so, between your data gathering process, you need to know the roles and responsibilities of each user; you'll throw those into a table within this document. So your executive leadership typically will approve and support the policy, your CIO will develop the policy and they will implement it, and then the enforcers, the CISO, will come in and enforce those policies, and then it's up to the users to actually report on those policies if there are violations that are detected. That's typical in every access control document that you have.

And so, going further into it, this is where you need to map those security controls to NIST 800-171. So this is a guide over here just to tell you what accounts you need to gather for those annexes, but this is where you're going to map the external connections to that access control, and the L1 is for level one. So if you look up the NIST 800-171 guide, you look up that
security control; that's where you'll take that information from all your data gathering process, and then you'll map out how you're protecting, and what external connections will be on, that FCI or CUI data. Your annex should look like this for your hardware list, mobile devices: so what is the unique identifier of the switch, the router, the firewalls, all of the devices that are protecting that FCI and CUI data? That will all be listed in one of your annexes.

Looking at another policy that we typically use, this would be your identification and authentication policy: so how are you authenticating users, making sure they are who they say they are? Again, you'll be taking all the roles and responsibilities, applying that to that same document, creating a revision number, revision one, and any time you update that policy, that would need to be updated. But then we get into mapping all the controls from NIST, and so you'll need to list all of your user accounts and processes. So all the user accounts, both standard users, what the cadence is (so typically it's like first name dot last name at organization), what the cadence or the naming convention is for your privileged users, for your administrators; all that will need to be documented in all of the policies that you create to go after the certification. And then you'll need to list your authentication policy; typically that's your password policy, or if you use certificate-based authentication, that will be listed in this block here. And then all of your applicable policies to this, so this could be your physical password policy attached to this document, and those are all attached right there. So what I tend to do, and what I've seen in the past, is that you'll attach all of your relevant IT policies to that last page there, and the auditors seem to like that.

And again, this is the biggest thing, because a lot of companies and a lot of organizations that I work with don't have a lot of this inventory stuff. If you are a mature organization you may have this, but you'll need to attach all your annexes to these documents as well. Oh yeah, the trick here is that you can take that little line and just say "please see list in the IT manager's office," and if you don't like the IT manager, then he'll get a bunch of auditors at his door and we all win. But you can actually just change that and have these lists printed off somewhere in a locked drawer. I think a GSA safe is what they recommend, but if you put it behind a drawer with a locking key, or if you have a NOC, you can just throw it in there. Make sure
it's not being seen through a window or anything; you can just change that, and that should be good for the auditors.

So we created the policies, we audited our own environment; all of your weaknesses, all the stuff that has been missed, will go in this. It's called a POA&M, and that's a Plan of Action and Milestones worksheet. This is where, you know, let's say you don't have a segmented network for CUI data; you will note that. Please, please do that, because that's not a good thing; you need to have a segmented network. But you will identify that, and then you'll also assign a value to it. So all of these weaknesses have some sort of value, I think it's like one to five, and if you don't have a segmented network for FCI data, you will receive a five. And so you list all your weaknesses, you add in the control, and then you have who's going to be the system owner to actually fix these weaknesses: could be you, could be your IT manager, could be the security department. You need a scheduled date, an identified date, when you plan to actually fix all these weaknesses, and then you also need a date when it's actually complete. So if you don't have a centralized patching server for your, you know, devices accessing some of this stuff, and then you went ahead and got something like SCCM in place, you will note the date when that was fixed, and then you mark that off on the POA&M. But essentially you will go ahead and self-assess and add up all of your points in this column here, and then you'll take that final number and subtract it from 110, and that'll be your SPRS score that you submit for your assessments. And then down here in this box, this is just your system security plan; again, this is some of those weaknesses. You may have metrics to help you generate a score on that, but all that's pretty self-explanatory in NIST 800-171.

Okay, so we have our data, we built all of our security policies out. How do you get certified? I'll be honest with you, level one's actually super easy. I would be shocked if anybody reads a lot of these things. However, so you go through, you get your score, and then you go ahead and turn that in to the DoD. The DoD will simply give you your certification, and now you can go after those FCI contracts. Some key notes here: you want to have everything documented. So again, creating all those policies and mapping all those NIST controls to those policies, you need to have some sort of digital copy or physical copy of those, because any time an auditor comes by and they want to
audit this information, and let's just face it, it's the government, they can do what they want essentially, you need to be able to reproduce those. Does it happen a lot? I haven't necessarily seen it, but I'm sure it will happen once we get closer to that CMMC date. But essentially you'll go to a website, you'll submit your score, you'll create all your proper accounts, and then once that gets approved, then you get your level one certification.

Now, a level two: you need to do all the same things as in a level one, but alongside that, you need to contract a third party, which is called a C3PAO. And so what they'll come in and do is audit your environment and see if you're going to meet that level two certification. They do an entire gap analysis. You'll still need to do a self-assessment to get your score, but then your C3PAO will actually have your official score, and once they're done with their audit of your network, they will grant you your certification, and then you can get your level two. But if they don't grant you that, obviously you're not going to get your level two certification. Again, for me, I would go after level two just because it covers both FCI and CUI data; even though you're not going to handle CUI data, I think level two is probably a better process, but it also brings up your cyber hygiene a lot as well.

So if you're looking for level one: we did the self-assessment, we got our policies baked in, we have all of our information ready, we did the scoring system, so we're going to take our score and we're going to submit it to the PIEE. These acronyms are fun, right? It's all government acronyms, so any former military in here? Anybody? Okay. Acronyms, acronyms, acronyms, you guys get it, great. But yeah, we're going to submit that to the Procurement Integrated Enterprise Environment, and they will probably get back with you pretty quick. However, you can send your level one self-assessment score to the Navy, to some sort of random mailbox on the Navy. I wouldn't recommend doing that; you're probably never going to hear from them again. But you'll need to submit your CAGE code, your SSP, your POA&Ms, you need to submit all of your policies and procedures, your whole score; you need to send them everything from your level one assessment to that random mailbox. I wouldn't do it, but you know, I've seen crazier things. Again, level two, just going back to that: the C3PAO is going to do your audit, they're going to set the scores, and you'll get your certification. Level one, super simple. But some of the things I want
to communicate to you guys to look out for is that, in the final revision, I think they're going to include that your MSP that you're using is going to have to be certified for the level of certification that you're going after. So if you're going after a level one, your MSP or MSSP is going to have to be a level one certified MSP. You'll no longer be able to use, you know, Fred's Computing down the street because they're super cheap, if he's not level one certified. Same thing with level two: if you're seeking a level two certification, your MSP or MSSP is going to have to be a level two certified shop.

Now would be the time to actually turn off all of your weak ciphers and TLS protocols that are no longer supported, because as you do these audits, or as you continue to do these assessments, they're not going to approve any network that's going to say, hey, we still operate SSLv2. That's a terrible idea, so please don't do that. So make sure you turn those off and tell your customers that are supporting those old protocols just to fix their stuff. I would use another word for that, but yeah, we've got kids in the room, so I don't want to say that word, but fix their stuff. Turn off those protocols, use modern ciphers, use modern encryption. Also, encrypt your hard drives, so any of those clients that are accessing the FCI or CUI data need to have BitLocker or some sort of encryption on the hard drive.

But most important out of all this is the False Claims Act. If you are going after level one or level two certification, anything that you say that you're doing, and they come in and you're not doing it, your organization or yourself can be held liable under the False Claims Act. We have seen that in the industry, and it seems to be going that way, and I think it's probably going to get more so as the government can't make their debt payments, so they're going to look for other sources of revenue. So please, please, please, please, only put in those documents and policies, whether it's level one or level two, what you're actually doing and how you're actually implementing these NIST 800-171 controls, because they will come after you for that under the False Claims Act.

Resources: there's really not anything better outside of the NIST 800-171 or the CMMC documentation. They're both really good guides. Again, I was kind of joking around that they just put you to sleep; that part is true, they do put you to sleep, but they do give you good guidance. It's probably some of the better government documents that I've seen out there to give you the insights of the level one and level two scoping guidance. Cool, that was really quick. I think I'm within time, so yeah. So this is Q&A, I'll open it up; there's my contact. But hey, we've got, I saw you back there first.

Can you go back to the previous slide? Yeah, that's it.

Oh man, I didn't expect any questions, guys. Okay, all right, we'll go with you; I'll make my way.

So for small businesses going after DoD contracts, is there a size of business where it's impractical to pass this? Do they need to be a certain minimum size?

Any size, whether you're a one- or ten-
man shop. If you're going for just FCI data, level one's simple to do. I say simple; it's not easy, but yeah, any size.

Is that true of CUI as well?

Yeah, same with CUI, yep.

Do you think that it's ever going to bleed into other types of institutions, like financial and all?

Yes, yep. I haven't seen it, so I can't point you to a source like "this is going to be it," but they're talking about county collectors and stuff, trying to implement some of this stuff at the local level as well.

So, assess and authorize; but once they're actually approved, how often do contractors have to reassess against these requirements? Is it similar to what [unclear]?

Pretty similar. Level one, you have to do an annual assessment, but if they don't see progress towards that 110 score, they will, like, call you: hey, what's going on? On the level twos, I can't remember how many times the C3PAO assesses, but it's like a tri-annual, I can't remember that right; I think they do it three times a year to assess against your network just to make sure nothing has changed. But also in level two you have to do that three-to-four-times-a-year assessment, but also your annual assessment on top of that. Level one's just another annual assessment.

Yeah, this one-time score where you subtract your findings, you add up those findings and you get your total score, and then you issue POA&Ms to correct these deficiencies: are you still qualified at that time, because you haven't applied them yet?

Yeah, as long as you don't have, like, a negative score. They're not going to be like, hey, you can't be level one certified, but if you get that same score in your next annual assessment, they're probably going to tell you, sorry, you're out of luck. You need to show progress that you're actually working towards full compliance; that's the biggest thing. So that's actually a good question, thank you for that. You see that 110 score; you don't have to meet that 110 strictly, they just want to see you work towards that 110 score. So if you get, like, a 25 (and they're like, that's not a good score, by the way), but you're working towards a 110 score in your next annual assessment, just as long as you're making progress, they're okay to keep that level one certification. I'm going to go with him real quick; I'll come back to you.

Two questions. First one's easy: I was told that maybe C3PAOs, let's say, were [unclear]; is that really not the case, and has that been the case very long?

So a good resource for a lot of this stuff is like CyberAB.com; that'll list your C3PAOs. I haven't seen it; it seems like there's a surplus of those guys out there, and they're reaching out, they're cold-calling people about this. I'm not a C3PAO, I haven't really necessarily worked with them closely; that's somebody else I work with, but you know, he hasn't really had issues finding those people.

The second one I had, I think, for the first was more along the lines of the small business question, right? We're talking about CUI, we're talking about that level two needing certification. It looks to me that there's going to be this divide of "I can get there, but I'll never make that much revenue," and so now I just need to just
stop. Is there going to be an ability for any of those that traditionally do this type of work, but maybe restrict strictly to nesting under more of a primary contractor instead, to where they're using their level of compliance? I don't know if that's talked about, or is it more so "get ready"?

Oh, man, that's a big question. It's a little bit of both. I would say, if you're seeking a level two certification, the easiest way to get that is to move it to a cloud provider with a thin client background. That might be a little bit of upfront cost, but I know with these mom-and-pop shops, they're actually looking at these data centers that are providing the service, and they're matching, you know, because they act as an MSP, but they're matching like your number of assets or whatever, and sometimes it's a cost save by doing that, just by moving to that data center. You know, it's really hard to maintain, especially these smaller shops where you're the operator and owner and you're also the IT director. Those people, I just tell them, if you can go find a data center that provides the service, that's probably the best way. Now that's going to hurt in the short term, but in the long term, to continue your revenue model, that's probably the best bet for both people.

Yeah, go ahead.

How much of a significant effort would it be to go from, let's say, SOC 2 or ISO 27001 to level two CMMC?

It's completely different. It's the government; they complicate things. Now, you're already meeting those compliance frameworks, so you, or whoever, you know, your organization, you're probably good, but level two, they're very, very stringent, since it's dealing with that CUI data, on what controls you need to meet. I know SOC 2 is not going to meet every single control that NIST 800-171 has, or ISO 27001, same thing. So you definitely have to audit everything; you know, we've got to map each control to what NIST 800-171 is going to require at that level too.

So thank you. I actually did not expect any questions; I expected everyone just to leave. So thank you for your time, guys.

[Applause]
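The POA&M bookkeeping and self-assessment arithmetic the speaker describes (a point value per open weakness deducted from 110, items closed by completion date, and progress checked between annual assessments), as an added example that is not part of the talk or of any official DoD tooling. The 1-to-5 weights follow the speaker's rough recollection rather than the official assessment methodology, and the control ids, owners and dates in the sample POA&M are constructed.

```python
"""POA&M tracker and self-assessment score, modelled on the talk's description.

Assumptions (not from the talk): a POA&M row carries a NIST 800-171 requirement
id, a point weight of 1 to 5 (the speaker's rough recollection; the official
DoD assessment methodology defines its own values), an owner, a scheduled fix
date and an optional completion date. The score is 110 minus the points of
every weakness still open on the assessment date.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110   # NIST 800-171 has 110 requirements; a clean assessment scores 110
MIN_WEIGHT, MAX_WEIGHT = 1, 5


@dataclass(frozen=True)
class PoamItem:
    control: str              # NIST 800-171 requirement id, e.g. "3.13.1"
    weight: int               # points deducted while the weakness is open
    owner: str                # system owner responsible for the fix
    scheduled: date           # date the fix is planned to be done
    completed: Optional[date] = None   # date the fix was actually done

    def __post_init__(self):
        if not MIN_WEIGHT <= self.weight <= MAX_WEIGHT:
            raise ValueError(f"{self.control}: weight {self.weight} not in 1..5")

    def is_open(self, as_of: date) -> bool:
        # A fix dated after the assessment date does not count yet.
        return self.completed is None or self.completed > as_of

    def is_overdue(self, as_of: date) -> bool:
        return self.is_open(as_of) and self.scheduled < as_of


def parse_poam(csv_text: str) -> list:
    """Parse the POA&M spreadsheet exported as CSV (ISO dates, empty = not done)."""
    items = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        done = row["completed"].strip()
        items.append(PoamItem(
            control=row["control"].strip(),
            weight=int(row["weight"]),
            owner=row["owner"].strip(),
            scheduled=date.fromisoformat(row["scheduled"].strip()),
            completed=date.fromisoformat(done) if done else None,
        ))
    return items


def sprs_score(items, as_of: date) -> int:
    """110 minus the points of every weakness still open on the assessment date.

    The result can go negative, which is the case the speaker saw fail level one.
    """
    return MAX_SCORE - sum(i.weight for i in items if i.is_open(as_of))


def annual_assessment(items, previous_score: Optional[int], as_of: date) -> dict:
    """Summarise what an annual re-assessment looks at: the score, whether it is
    negative, whether it improved on last year, and which fixes have slipped."""
    score = sprs_score(items, as_of)
    return {
        "score": score,
        "negative": score < 0,
        "progress": previous_score is None or score > previous_score,
        "open": sorted(i.control for i in items if i.is_open(as_of)),
        "overdue": sorted(i.control for i in items if i.is_overdue(as_of)),
    }


# Constructed sample POA&M (not real data): three weaknesses, one already fixed.
SAMPLE_POAM_CSV = """control,weight,owner,scheduled,completed
3.13.1,5,IT manager,2025-02-15,2025-03-01
3.4.1,3,IT manager,2025-06-30,
3.5.3,5,Security,2025-04-01,
"""


def assess_sample():
    """Run the sample through a first assessment and the following annual one."""
    items = parse_poam(SAMPLE_POAM_CSV)
    first = annual_assessment(items, None, date(2025, 1, 1))
    second = annual_assessment(items, first["score"], date(2025, 5, 1))
    return first, second


if __name__ == "__main__":
    for result in assess_sample():
        print(result)
```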